An email discovered last year that was sent from North Korea’s internet infrastructure offers a rare look at how DPRK software developers market their work abroad. While most recent reporting has focused on North Korean IT workers fraudulently obtaining jobs at Western companies, the documents attached to this message appear to represent something different: a catalog of domestically developed software being pitched to commercial partners overseas.
As reported by Daily NK in late 2025, North Korea had previously sent around one hundred IT workers to the Chinese border city of Dandong to work on app development as well as website work. These workers were typically assigned in groups of fifteen and lived in rented apartments overseas with the goal of earning foreign currency for the regime. While there is plenty of coverage of the employment scams conducted by the Reconnaissance General Bureau (RGB), outsourced labor to foreign markets is less covered.
The email in question originated from a @star-co.net.kp address with an origin IP of 175.45.178.55 and an internal relay of 172.31.6.4. (This IP has been added to the Kwangmyong infrastructure page; check it out if you haven’t already.) One detail in the headers worth calling out is the pair of date headers. The email’s Date header shows a timestamp of 16:24:09 +0800 (China Standard Time), while the SMTP relay records 21:09:32 +0900 (Korean Standard Time). The offset on the machine writing the email points to an operator likely working out of China, which is consistent with the pattern of DPRK IT teams operating in cities such as Shenyang, Dandong, or Dalian while maintaining connections back to DPRK infrastructure for operational activity.
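The header comparison described above can be scripted for triage. This is an added example, not part of the original post: the header block is constructed, with only the two clock times and UTC offsets taken from the article, and the function names are hypothetical.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: only the two clock times and UTC offsets come from the
# article. The calendar date, hostnames and mailbox names are placeholders.
RAW = """\
Received: from client.example.invalid by relay.example.invalid with SMTP;
 Sat, 01 Jan 2000 21:09:32 +0900
Date: Sat, 01 Jan 2000 16:24:09 +0800
From: sender@star-co.net.kp
To: recipient@example.invalid
Subject: constructed sample

body
"""

def header_clocks(raw):
    """Return (header name, timezone-aware datetime) for Date and each Received hop."""
    clocks = []
    for name, value in message_from_string(raw).items():
        if name.lower() == "date":
            clocks.append(("Date", parsedate_to_datetime(value)))
        elif name.lower() == "received" and ";" in value:
            # RFC 5322: a hop's timestamp follows the last semicolon.
            stamp = value.rsplit(";", 1)[1].strip()
            clocks.append(("Received", parsedate_to_datetime(stamp)))
    return clocks

def compare_clocks(raw):
    """Compare the composing client's clock with the earliest relay hop."""
    clocks = header_clocks(raw)
    composed = next(dt for name, dt in clocks if name == "Date")
    first_hop = min(dt for name, dt in clocks if name == "Received")
    hour = timedelta(hours=1)
    return {
        "client_offset_h": composed.utcoffset() / hour,
        "relay_offset_h": first_hop.utcoffset() / hour,
        "offset_mismatch": composed.utcoffset() != first_hop.utcoffset(),
        # Aware datetimes subtract in UTC, so this is real elapsed time.
        "compose_to_relay": first_hop - composed,
    }

if __name__ == "__main__":
    for key, val in compare_clocks(RAW).items():
        print(f"{key}: {val}")
```

The Date header is written by the sending client and can be skewed or forged, so an offset mismatch is a lead to corroborate against other evidence rather than proof of location.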
The message was clearly aimed at the Middle Eastern and North African telecom market, referencing the recipient’s role representing companies across the region.
Let’s dig into the documents a little more to get a better idea of the software catalog offered by North Korea to overseas clients. The three documents attached to the email cover Android application hardening, AI, computer vision, mobile surveillance, and reverse engineering. Taken together, these offer a window into the capabilities of North Korean IT workers across not just exported work but potentially other malicious activity.
Document 1 – Android APK Hardening
The first product mentioned in the documents is an Android application referred to as APK-GUARD, which is designed to protect against the reverse engineering of Android apps. The document also includes a feature comparison table against named competitors and explicitly calls out its protection of C# DLL libraries as a unique differentiator compared to the other tools listed.
Other capabilities described include SO library obfuscation, anti-dump (which defeats memory analysis tools by zeroing critical code sections during execution), anti-patch (which detects and rejects modified APKs), anti-emulator, and device-specific license key enforcement.
Probably the most interesting feature is what the document refers to as “Anti-Remote Attach”, which helps protect against IDA Pro’s remote debugging capability.
Document 2 – Android Surveillance
The second document describes a comprehensive Android surveillance platform consisting of a web-based control server and a silent terminal implant installed on a target device. The document is straightforward about the software’s purpose, describing it as a “target-monitoring program” designed to “remotely monitor the position, conversation, message and ambient environment” of a specified person.
A detailed feature list from the document includes the following functionality:
- Function to detect current position of terminal and send positional information to server
- Function to send information on move route to server in real-time
- Function to record T/R conversation at terminal and send information to server
- Function to display and search address book of person to be monitored
- Function to search for and play recorded file
- Function for setting for message stealing
- Function to search for address book of person to be monitored
- Function to search for and read message
- Function for recording at spot terminal and sending to server
- Function for real-time wiretapping at spot terminal in server
- Function to steal address book of terminal and send it to server
- Function to lock & unlock screen of terminal
This adds some detail to what we already know about North Korea’s domestic mobile phone surveillance. As documented by North Korea Tech, all North Korean smartphones ship with a built-in application called Trace Viewer, which takes random screenshots and stores them in a local database on the device. The current understanding is that the screenshots aren’t being actively transmitted, but that the awareness of their existence is enough to deter users from illicit activity.
Document 3 — The Capability Portfolio
The third document does not describe a single product like the other two, but instead lays out the capabilities of what it calls “our developing team.” Based on the DTEX reporting on the DPRK cyber structure, a group with a commercially oriented profile that is pitching software exports openly most likely sits as a lower tier unit under the Reconnaissance General Bureau (RGB) or possibly the Workers’ Party of Korea (KWP).
The capabilities of this group are wide-ranging. The document leads off with information about their AI development capabilities, but also details image processing including facial recognition, license plate recognition (LPR), eye monitoring, people counting, and fire and smoke detection, as well as web development and software engineering.
The image processing capabilities highlighted here are also an interesting tie to later developments in the country. One section of a report from the Stimson Center specifically calls out an expanding road traffic surveillance network.
The AI piece is also worth mentioning, not just due to its increasing popularity across the world. These documents are from 2022, but North Korea’s investment in AI goes back much further. A 2017 Korea Times report on a Korea Development Bank research paper noted that North Korea began AI development as far back as 1990 and had been a genuine international competitor in the field by the early 2000s. The team lists TensorFlow and Caffe as their frameworks, and given what we know from North Korean researchers’ own published work, GPU scarcity is a real constraint.
What This Tells Us
The covert IT worker scheme gets most of the attention, and for good reason. However, this email documents another strategy by the regime for earning foreign currency. By shopping domestic software abroad and targeting a regional intermediary, North Korea potentially faces less scrutiny than it would in the US or EU. The surveillance suite reflects years of domestic mobile security engineering by people who have been building monitoring tools for state use long before they started selling them abroad. The AI and computer vision portfolio points to a decades-long national investment in machine learning that has continued quietly regardless of sanctions and hardware limits.
As always, if you have any additional details to share around North Korea’s software catalog, feel free to reach out: contact@nkinternet.com
There’s also a Substack you can subscribe to if that’s your jam: https://substack.com/home/post/p-190207737
References
- Daily NK — “N. Korea sends 100 IT workers to new base in Chinese border city” (Oct 2025)
- North Korea Tech — “North Korea upgrades its Android security” (Jan 2024)
- Korea Times — “North Korea was once AI powerhouse” (Oct 2017)
- Daily NK — “N. Korea releases details about real-time LPR technology”
- Stimson Center — “Digital Surveillance in North Korea: Moving Toward a Panopticon State” (2024)
- Synaptic Security — “Why Is a North Korean Mail Server Using a .cc Domain?” (2025)